b'\x0cApril 30, 2004\nReport No. 04-019\n\n\nEnhancements to the FDIC System\nDevelopment Life Cycle Methodology\n\n\n\n\n             AUDIT REPORT\n\x0c                                                   TABLE OF CONTENTS\n\nBACKGROUND .................................................................................................................. 1\n\nRESULTS OF AUDIT......................................................................................................... 5\n\nFINDING AND RECOMMENDATIONS\n\n          Need for A Risk-Based SDLC Methodology and\n          SDLC Control Framework ..................................................................................... 5\n\n                    Risk-Based SDLC Methodology ................................................................. 5\n\n                    SDLC Control Framework ......................................................................... 7\n\nONGOING INITIATIVES .................................................................................................13\n\nCONCLUSION AND RECOMMENDATIONS...............................................................13\n\n          Recommendations ....................................................................................................14\n\nCORPORATION COMMENTS AND OIG EVALUATION..........................................14\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY..................................16\n\nAPPENDIX II: WATERFALL AND ITERATIVE SYSTEM\n             DEVELOPMENT MODELS.................................................................21\n\nAPPENDIX III: FEDERAL AGENCIES AND INDUSTRY ENTITIES\n              THAT PROVIDED INFORMATION ON SDLC\n              METHODOLOGY AND BEST PRACTICES ...................................25\n\nAPPENDIX IV: PROJECT MANAGEMENT GUIDANCE .........................................26\n\nAPPENDIX V: USEFUL BUSINESS MEASURES OF SYSTEM\n            DEVELOPMENT PERFORMANCE ...................................................27\n\nAPPENDIX VI: CORPORATION COMMENTS...........................................................28\n\nAPPENDIX VII: MANAGEMENT RESPONSES TO RECOMMENDATIONS .......31\n\nFIGURES\n\n          Figure 1:      An Ideal SDLC Methodology and Control Framework ..................... 4\n          Figure 2:      Waterfall Model of System Development.............................................21\n          Figure 3:      Spiral Software Development Life Cycle .............................................22\n          Figure 4:      COTS-Based Systems Approach...........................................................24\n\x0c\x0cannual operating budget; $79 million is budgeted for 2004.3 The FDIC\xe2\x80\x99s Division of\nInformation Resources Management (DIRM) is responsible for maintaining the SDLC\nmethodology.\n\nThe Systems Development Life Cycle Manual Version 3.0, dated July 17, 1997, contains the\nFDIC\xe2\x80\x99s standard methodology for developing its automated information systems.4 The stated\npurpose of the FDIC\xe2\x80\x99s SDLC methodology is to provide a repeatable, uniform process to\ndevelop new FDIC automated information systems and enhance or maintain existing systems.\nThe SDLC methodology applies to all IT projects,5 whether performed by the FDIC or through\ncontract agreements.\n\nThe FDIC has identified the need to improve its SDLC methodology. This need was confirmed\nby the results of the recent DIRM Information Technology Program Assessment,6 which\nrecommended that the SDLC methodology be modernized to adopt newer ways of doing\nbusiness and best practices. DIRM selected a new SDLC methodology, Rational Unified\nProcess\xc2\xae7 on February 20, 2004 and is in the process of engaging a contractor to tailor that\nmethodology to the FDIC environment and ensure that it is scalable for various project sizes and\ntypes. DIRM plans to have the new methodology fully implemented by January 1, 2005.\n\nOffice of Management and Budget (OMB) Circular A-1308 requires the head of each federal\nagency to develop agency policies and procedures that provide for the timely acquisition of\nrequired information technology. Federal agency and industry best practice guidance related to\nan SDLC methodology is identified in various sources, including publications by the General\nAccounting Office (GAO), the Software Engineering Institute (SEI),9 and the Project\nManagement Institute (PMI).10 These publications are discussed throughout this report.\n\nMany methods and techniques can be used to direct system development life cycle processes,\ndepending on the specific circumstances and risks of each development project. Two common\nsystem development models in industry and the federal government include the traditional linear\nsequential \xe2\x80\x9cwaterfall\xe2\x80\x9d model and the more current iterative spiral model. Each phase of the\n\n3\n  These amounts reflect budgeted expenditures for projects coded D (Development), E (Enhancement), P (Planning), and\nF (System Development Support projects).\n4\n  Pursuant to FDIC Directive 1320.3, Systems Development Life Cycle (SDLC) Version 3.0, dated July 17, 1997.\n5\n  An IT project is defined in FDIC Directive 1320.3 as the use of computer technology to automate the business process\nand practices of an organization. IT projects include a variety of initiatives, system development and maintenance\nprojects, infrastructure projects, hardware and software acquisition projects, and IT planning projects.\n6\n  In 2003, the FDIC contracted with Deloitte Consulting to conduct a comprehensive Information Technology Program\nAssessment (ITPA) with the objective of remaking the existing program into one that meets business needs effectively\nand efficiently. The recommendations from this program assessment are being implemented and include a new\norganizational structure, along with a variety of fundamental changes in the processes for managing IT.\n7\n  Rational Unified Process\xc2\xae (RUP) is a risk-based program development methodology that establishes four phases of\ndevelopment. RUP is a registered trademark of Rational Software Corporation, which is a wholly owned subsidiary\nof International Business Machines Corporation.\n8\n  OMB Circular No. A-130 Revised (Transmittal Memorandum No. 4), Management of Federal Information Resources.\n9\n  Carnegie Mellon University\xe2\x80\x99s SEI is recognized for its experience in software development and acquisition processes.\nSEI has developed methods and models that can be used to define disciplined processes and determine whether an\norganization has implemented them. These methods and models are generally recognized as best business practices.\n10\n   The PMI has conducted extensive research and analysis in the field of project management.\n\n\n                                                          2\n\x0cdevelopment process in the waterfall model is clearly defined and generally must be completed\nbefore moving to the next phase. A waterfall approach works well for projects with system\nrequirements that can be defined and fixed early in the project. The spiral model is a risk-based\niterative approach in which the overall project life cycle is composed of several sequential\niterations or \xe2\x80\x9cmini-projects.\xe2\x80\x9d The spiral model works well when all project requirements are not\nknown in advance, as is often the case with large, complex projects. Detailed descriptions of\nthese system development models are provided in Appendix II.\n\nThe FDIC\xe2\x80\x99s current SDLC methodology generally reflects a                              FDIC\xe2\x80\x99s SDLC methodology\nphased, waterfall-type model for systems development.                                 has eight interdependent\nSubsequent phase decisions, deliverables, and products are                            phases:\ndependent on the decisions, deliverables, and products developed                          1. Planning\nin prior phases. Unlike the classic waterfall model, the FDIC                             2. Requirements\n                                                                                              Definition\nmethodology does allow for development phases to be combined                              3. External Design\nor overlapped, depending on the size and complexity of the                                4. Internal Design\nproject.                                                                                  5. Development\n                                                                                          6. Test\nThe GAO Standards for Internal Control in the Federal                                     7. Implementation\n                                                                                          8. Maintenance\nGovernment11 state that appropriate internal (management) control\nhelps program managers improve operational processes and implement new technological\ndevelopments. Management controls include both the day-to-day management of the project,\nsuch as scope, schedule, and cost controls, as well as controls that ensure the project is\neffectively coordinated with other related organizational projects. All of\nthese controls collectively comprise a control framework to provide reasonable assurance of\neffective and efficient operations. An effective control framework for the SDLC methodology\ncomprises:\n\n     \xe2\x80\xa2  project management practices that are implemented to help the project meet cost,\n        schedule, and performance goals;\n     \xe2\x80\xa2 performance assessment practices, such as a post-implementation review12 (PIR)\n        feedback mechanism, that are used to provide continuous SDLC process improvement;\n      \xe2\x80\xa2 investment management practices that ensure projects align with the agency Enterprise\n        Architecture (EA)13 to avoid funding systems that are incompatible or provide redundant\n        capability; and\n     \xe2\x80\xa2 security management practices that ensure security requirements are addressed\n        throughout the SDLC to cost-effectively reduce the risk of loss, misuse, or unauthorized\n        access to or modification of information.\n\n\n11\n   GAO Publication GAO/AIMD-00-21-3.1, dated November 1999.\n12\n   Post-implementation reviews enable the FDIC to confirm the quality of system development projects and improve\nmanagement over IT investments. The reviews provide "in process" feedback on the FDIC\xe2\x80\x99s system development life\ncycle activities.\n13\n   An EA is an institutional systems blueprint that defines in both business and technological terms an organization\xe2\x80\x99s\ncurrent and target operating environments (business and systems) and the way the organization will transition between\nthe two. An EA is a requirement of OMB Circular A-130, based on the provisions of the Clinger-Cohen Act of 1996\n(Public Law No. 104-106, codified throughout the U.S.C.). An EA is also a best practice of leading public and private-\nsector organizations.\n\n\n                                                           3\n\x0cFigure 1 depicts the ideal relationship between the SDLC methodology and its control\nframework.\n\n\n         Figure 1: An Ideal SDLC Methodology and Control Framework\n\n                                      Enterprise Architecture\n                                             Current\n\n\n\n\n                               ent\n\n\n\n\n                                                                Inv agem\n                                                                 Ma\n                        na ct\n                          gem\n                      Ma Proje\n\n\n\n\n                                                                   est\n                                                                    n\n                                                                      me ent\n                                                                        nt\n            Control                        SDLC                                  Control\n          Framework                                                            Framework\n                                         Methodology\n\n\n\n\n                                                                   ess nce\n                                                                         nt\n                      Ma\n                      Sec geme\n\n\n\n\n                                                                Ass orma\n                                                                      me\n                        na\n                         uri nt\n\n\n\n\n                                                                    f\n                                                                Per\n                            ty\n\n\n\n\n                                     Enterprise Architecture\n                                             Target\n\n\n\n\n               Source: OIG analysis of federal agency and industry best practices.\n\n\n\n\n                                                  4\n\x0cRESULTS OF AUDIT\n\nConsistent with DIRM concerns and the DIRM program assessment findings, we determined that\nthe FDIC\xe2\x80\x99s existing SDLC methodology did not ensure the consistent delivery of quality systems\nthat satisfy corporate requirements in a timely and cost-effective manner. Specifically, the\nexisting SDLC methodology does not adequately reflect certain best practices, including a risk-\nbased approach to system development and does not incorporate all the policies and procedures\nnecessary to provide an effective SDLC control framework. Consequently, there is greater risk\nthat projects will not meet cost, time, and performance goals and that the systems will not be\nconsistent with the EA or incorporate adequate security requirements.\n\nNEED FOR A RISK-BASED SDLC METHODOLOGY AND SDLC CONTROL\nFRAMEWORK\n\nThe FDIC\xe2\x80\x99s existing SDLC methodology does not provide for the use of an appropriate system\ndevelopment model based on risk14 considerations for each project. Further, the current SDLC\ncontrol framework is not adequate to:\n\n       \xe2\x80\xa2    integrate project management controls during the development process,\n       \xe2\x80\xa2    assess project performance to ensure project success and provide feedback to continually\n            improve the SDLC methodology,\n       \xe2\x80\xa2    ensure consistency with the EA to avoid system incompatibility and duplication, and\n       \xe2\x80\xa2    incorporate security management throughout the SDLC.\n\nThe FDIC\xe2\x80\x99s SDLC methodology has not been changed since 1997 and, therefore, does not reflect\nrecent best practice guidance related to the use of risk-based system development models and\nprocedures needed in a control framework.\n\nEach component of this finding is discussed separately below.\n\nRisk-Based SDLC Methodology\n\nThe FDIC\xe2\x80\x99s existing SDLC methodology recommends that the project manager consider the\ncomplexity and risk associated with a planned application in determining whether to use the\ncurrent SDLC methodology for the project or whether to adapt the procedures and\ndocumentation required by the methodology. However, the FDIC\xe2\x80\x99s primary system\ndevelopment model is the linear sequential model, which is not the best model for all\ndevelopment projects. The SDLC methodology does not provide adequate guidance on the use\nof other development models, such as iterative models, that better address the specific risks of\ncertain development efforts, especially those involving the use of commercial off-the-shelf\n(COTS) software. The FDIC\xe2\x80\x99s use of COTS software on two of its largest system development\n\n\n\n\n14\n     Risks are situations or possible events that can cause a project to fail to meet its goals.\n\n\n\n                                                                  5\n\x0cefforts, the New Financial Environment (NFE) and the Corporate Human Resources Information\nSystem (CHRIS),15 indicates that such guidance is needed to successfully complete those types\nof development efforts.\n\nOMB Circular A-130 discusses an information system life cycle but does not define a preferred\nSDLC process model for use in the federal government. However, National Institute of\nStandards and Technology (NIST) guidance16 states that many methods exist that can be used by\nan organization to effectively develop an information system, including, among others, the\ntraditional linear sequential, or waterfall model, and the spiral iterative model. NIST notes that\nthe expected size and complexity of the system, development schedule, and length of a system\xe2\x80\x99s\nlife will affect the decision on which the SDLC model will be used.\n\nBest practice guidance issued by\nthe Information Technology                      ITRB Executive Handbook factors for risk-based selection of\n                                                an SDLC model.\nResources Board (ITRB)17\nindicates that an SDLC                          Costs. Consider various development alternatives and estimate\nmethodology should include a risk-              how they might contribute to project costs.\nbased selection of a system\ndevelopment model. The ITRB                     Risks. Consider how much risk the project faces from:\n                                                    \xe2\x80\xa2 High visibility due to public or political attention or\nExecutive Handbook18                                    requirements\nrecommends that government                          \xe2\x80\xa2 Highly compressed development time\nagencies base selection of an                       \xe2\x80\xa2 High uncertainty associated with the system\xe2\x80\x99s\nappropriate development model on                        requirements, the technology that the system will employ,\ncareful consideration of four                           or the way that the system will affect business processes\nproject factors \xe2\x80\x93 cost, risk,\n                                                Complexity. Consider the project to be complex if it:\ncomplexity, and type. These four                   \xe2\x80\xa2 Affects many organizations or functional areas\nfactors address:                                   \xe2\x80\xa2 Results from business process reengineering, dramatically\n                                                       altering the use of information technology\n     \xe2\x80\xa2   user requirements \xe2\x80\x93 the                   \xe2\x80\xa2 Requires new or rapidly advancing technology\n         complexity of the desired                 \xe2\x80\xa2 Requires a long time for development\n         system and when it is\n                                                Type. Consider the general type of the project:\n         needed;                                    \xe2\x80\xa2 New development\n     \xe2\x80\xa2   resource requirements \xe2\x80\x93 the                \xe2\x80\xa2 Modification of an existing system\n         resources (human and                       \xe2\x80\xa2 System integration\n         monetary) available in\n         comparison to those needed;\n\n15\n   Both systems are being implemented with PeopleSoft\xc2\xae COTS software. PeopleSoft\xc2\xae is the second largest enterprise\napplication software company in the world and the single largest vendor of mid-market solutions.\n16\n   NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle,\ndated October 2003.\n17\n   The ITRB is a group of senior IT, acquisition, and program managers with significant experience developing,\nacquiring, and managing information systems in the federal government. Members are drawn from a cross section of\nagencies and are selected for their specific skills and knowledge. The ITRB provides, at no cost to agencies, peer\nreviews of major federal IT systems. Through these peer reviews, the ITRB identifies practical solutions to actual or\npotential problems.\n18\n   ITRB publication Project Management for Mission Critical Systems: A Handbook for Government Executives\n(Executive Handbook), dated April 5, 2001.\n\n\n                                                          6\n\x0c     \xe2\x80\xa2   EA requirements \xe2\x80\x93 the desired system alignment with the current and target EA; and\n     \xe2\x80\xa2   security requirements \xe2\x80\x93 what is the risk of system loss or negative publicity.\n\nFor example, an iterative model may be more appropriate for large and complex projects\ninvolving new technology that significantly affects the EA and for which there is a high level of\nuncertainty associated with the system\xe2\x80\x99s requirements, such as security requirements. The\nwaterfall model, however, may be appropriate for smaller projects requiring fewer resources with\nthe purpose of modifying an existing system and for which there is limited impact on the EA.\n\nThe Department of Justice\xe2\x80\x99s (DOJ) SDLC methodology considers the four factors noted above\n(project costs, risks, complexity, and type) and the mission criticality of the planned system\nwhen determining the system development model and level of work required. For example,\nDOJ\xe2\x80\x99s methodology includes a \xe2\x80\x9creduced effort\xe2\x80\x9d work pattern or model that combines some\nSDLC phases, eliminates some of the deliverables otherwise required, and combines some of the\nreviews to reduce project formality. This work pattern applies to any type of development,\nregardless of mission criticality, where the cost, risk, and complexity of the development project\nare low. The DOJ methodology also provides an iterative model suited to situations in which\nexisting business processes will be altered considerably and the full set of detailed functional\nrequirements cannot be reliably defined early in the development life cycle.\n\nThe SEI specifically recommends the use of the spiral iterative model for systems developed\nusing COTS software to better address the risks of those projects. SEI notes that many\norganizations will find the transition to a risk-based spiral development approach one of the\nbiggest challenges in implementing processes for COTS-based systems. Nonetheless, SEI stated\nthat the change is needed because attempts to use traditional sequential processes are rarely\nsuccessful.\n\nSDLC Control Framework\n\nProject Management\n\nThe FDIC has not incorporated all key project management19 practices for system development\nprojects into its existing SDLC methodology. The methodology gives limited attention to project\nmanagement practices aimed at controlling the development process with the goal of delivering\nquality systems within budget and time constraints. The methodology requires and provides\nsome useful guidance on the preparation of key project management documents, such as a\nproject (work) plan20 and a work breakdown structure,21 but does not address other aspects of a\nproject management control framework such as developing management plans (described later in\nthis section of the report), conducting performance assessments, updating the project plan, and\n\n19\n   Project management is the application of knowledge, skills, tools, and techniques to project activities to meet\nproject requirements. Typically, project work, including system development efforts, involves coordination of\ncompeting demands affecting scope, time, cost, risk, and quality; stakeholders with differing needs and expectations;\nand identified requirements.\n20\n   The project plan is a formal, approved document or collection of documents used to manage project execution. The\nproject plan should be expected to change over time as more information becomes available about the project.\n21\n   A work breakdown structure organizes and defines the work within the scope of the project.\n\n\n                                                         7\n\x0cimplementing corrective actions. In particular, the project plan guidance in the SDLC manual\ndoes not include the preparation of management plans, which are a major component of a project\nplan.\n\nThe PMI and project management experts have identified and developed the types of policies,\nprocedures, and practices demonstrated to reduce development time and enhance effectiveness.\nThe PMI\xe2\x80\x99s A Guide to the Project Management Body of Knowledge (PMBOK\xc2\xae Guide)22\nidentifies the importance of project management in managing and meeting project requirements.\nThe PMBOK\xc2\xae Guide documents proven practices, tools, and techniques that have become\ngenerally accepted in the field of project management, including information systems\ndevelopment and implementation.\n\nWe primarily used the PMBOK\xc2\xae Guide, in conjunction\nwith other government and industry guidance, as the         The PMBOK\xc2\xae Guide identifies nine\n                                                            distinct knowledge areas associated\nprimary criteria for reviewing the FDIC\xe2\x80\x99s SDLC              with successful project management:\nmethodology because the guide contains sound and            \xe2\x80\xa2 Integration       \xe2\x97\x8f Scope\nprudent practices related to successful project\n                                                            \xe2\x80\xa2 Time              \xe2\x97\x8f Cost\nmanagement. The key project management activities\n                                                            \xe2\x80\xa2 Quality           \xe2\x97\x8f Human resources\nidentified in the PMBOK\xc2\xae Guide include\n                                                            \xe2\x80\xa2 Communication \xe2\x97\x8f Risk\npreparing the project plan, preparing management plans\n                                                            \xe2\x80\xa2 Procurement management\nfor the PMBOK\xc2\xae knowledge areas, conducting\nperformance assessment, updating the project plan, and\nimplementing corrective action. Additional information about the PMBOK\xc2\xae Guide is included\nin Appendix IV of this report.\n\nAccording to the PMBOK\xc2\xae Guide, a project plan should be prepared as part of project\nintegration management. Also, management plans should be prepared for the areas of risk,\nscope, time/schedule, cost, quality, staffing, communications, and procurement. The\nmanagement plans provide consideration for various contingencies and describe how each\ncontingency will be managed. For example, the staffing management plan describes when and\nhow human resources will be brought onto and taken off the project team. The cost management\nplan describes how cost variances will be managed (e.g., different responses to major variances\nthan to minor ones.)\n\nAnother important management principle currently not incorporated in the SDLC methodology\nis an earned value management23 system (EVMS). Performance measurement expressed in\nterms of earned value management is a tool to measure performance against the project plan. It\nintegrates scope, cost, and schedule measures to help the project management team assess project\nperformance. There are numerous benefits to an EVMS. First, it requires an adequate\nunderstanding of the work to be performed in order to assign a time-phased budget from the\n\n22\n   The PMBOK\xc2\xae Guide was published in 2000 and is an approved standard of both the American National Standards\nInstitute and the Institute of Electrical and Electronics Engineers.\n23\n   Earned value provides a valid method of measurement to compare planned project accomplishment to actual\naccomplishment. By comparing planned milestone completion against actual performance, project managers can\nestimate the amount of work remaining. The underlying concept of EVMS is that a project can be managed to\nreduce overall cost and schedule while delivering a quality product.\n\n\n                                                       8\n\x0cplanned start through completion of the work. The performance management baseline\nestablished in this manner readily identifies problem areas such as underfunding, unrealistic\nschedules, and poor requirements or work content definition that can lead to later cost, schedule,\nand performance problems. An EVMS also serves as an excellent early warning system by\nidentifying adverse variances in cost, schedule, and performance that may be driven by technical\nor business issues. Corrective actions based on an analysis of these variances can be more timely\nand the effects more visible than without an EVMS.\n\nOMB Circular A-1124 requires federal agencies to institute performance measures and\nmanagement processes that monitor and compare actual performance to planned results.\nAgencies should use a performance-based acquisition management system, such as an EVMS, to\nobtain timely information on the progress of capital investments and to measure progress toward\nmilestones in an independently verifiable basis in terms of cost, capability of the investment to\nmeet specified requirements, timeliness, and quality. See Appendix V for the business measures\nGAO identified as useful for measuring system development performance.\n\nOIG audits of the NFE and XBAT system development efforts25 have identified a lack of project\nmanagement practices for communication, risk, scope, time, and procurement management.\nHowever, the FDIC has not yet fully incorporated corrective actions in the SDLC methodology.\nUntil these initiatives are in place and additional project management guidance is issued, the\nFDIC cannot be certain that it has addressed all of the risk factors that can undermine project\nsuccess and there is greater potential for developing systems that exceed cost and schedule goals\nand do not meet users\xe2\x80\x99 needs.\n\nIn 2003, the FDIC identified the need for improved project management by commencing two\ninitiatives in the project management arena. The first initiative was to begin formulating a\nCorporate Interdivisional Working Group for project management. The FDIC plans to offer\ntraining through the Corporate University to address identified corporate needs and expectations\nfor project management. Additionally, DIRM has established an initiative to develop a program\nmanagement office and has appointed an Assistant Director to establish the office. These\ninitiatives are still in the planning stages and have not yet been implemented to improve the\nSDLC control framework.\n\nPerformance Assessment\n\nThe existing SDLC methodology incorporates performance measurement activities, such as\nquality assurance testing and a PIR process; however, DIRM has not always used the results of\nthese activities to improve the existing SDLC methodology. Performance assessment is a critical\nfunction for measuring project progress and comparing it with established baselines. For\nmaximum return on investment, the strategic value of IT projects should be documented before\nfunding decisions are made and then verified after implementation. Common techniques for\nmeasuring performance include quality assurance testing and PIRs.\n\n24\n  OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget, dated July 2003.\n25\n The New Financial Environment Project Control Framework (Report No. 03-016), dated March 5, 2003; New\nFinancial Environment Scope Management Controls (Report No. 03-045), dated September 29, 2003; and\nXBAT Contracting and Project Management (Report No. 04-014) dated March 26. 2004.\n\n\n                                                    9\n\x0cQuality Assurance Testing: The existing SDLC methodology identifies the need for quality\nassurance testing and refers to the FDIC Quality Assurance26 program for guidance in the\ncompletion of this testing. The FDIC has performed quality assurance testing of selected recent\nsystem development efforts, but DIRM has not always used the results of that testing to improve\nthe existing methodology. The FDIC issued Circular No. 1360.18, FDIC Software Quality\nAssurance Policy, on August 6, 2003 to provide direction on the independent testing and\nassessment of FDIC applications throughout their life cycle. The testing, such as independent\nverification and validation, helps answer the questions of \xe2\x80\x9cwas the system built correctly?\xe2\x80\x9d and\n\xe2\x80\x9cwas the correct system built?\xe2\x80\x9d The answers to these questions should be used to improve not\nonly the performance of individual projects but also the adequacy of the overall SDLC\nmethodology.\n\nPIR Process: The existing SDLC methodology\n                                                                         The objectives of the FDIC\xe2\x80\x99s PIR process\nincludes reference to the PIR process, which is now                      are to:\nmanaged by the DIRM Information Technology\nEvaluation Section. The PIR process includes review                      \xe2\x80\xa2 Assess management and end user\nof the SDLC documentation and interviews with the                          satisfaction with the product.\nproject team 6 months after a system is implemented.                     \xe2\x80\xa2 Determine how well the project met time\nRecent PIRs have identified corrective actions needed                      schedules, implementation dates, and life-\n                                                                           cycle cost projections.\nfor continual SDLC process improvement. However,                         \xe2\x80\xa2 Identify best practices, lessons learned,\nnot all corrective actions needed to improve the SDLC                      and other improvements to project\nmethodology have been implemented. Until                                   management activities.\nDecember 2003, DIRM had not formally tracked PIR                         \xe2\x80\xa2 Identify the tangible and intangible\nrecommendations to determine the status of the                             benefits achieved.\nrecommended corrective actions.\n\nOMB Circular A-130 requires that agencies conduct PIRs of information systems and\ninformation resource management processes to validate estimated benefits and costs and to\ndocument effective management practices for broader use. Agencies are to complete an\nevaluation of information systems once they are operational to validate projected savings,\nchanges in practices, and effectiveness in serving stakeholders. These PIRs may also serve as\nthe basis for agency-wide lessons learned on effective management practices.\n\nEnterprise Architecture and Investment Management\n\nThe existing SDLC methodology acknowledges the importance of considering the FDIC\xe2\x80\x99s EA27\nduring a system development effort and refers to DIRM\xe2\x80\x99s Strategic Planning Section (SPS) for\nguidance in using EA information in evaluating individual projects for alignment. The SPS has\ndeveloped an EA Blueprint defining, at a high level, the FDIC\xe2\x80\x99s current and target business and\nIT architectures. Additionally, the FDIC recently issued an EA policy, newsletter, and other\ngeneral guidance indicating that information technology projects should align with the FDIC\xe2\x80\x99s\nEA. However, the SPS has not issued detailed guidance on how compliance with this important\nEA control activity is to be accomplished. For example, current guidance does not describe how\n\n26\n   Quality assurance is the technical and administrative process to ensure the complete and accurate specification,\nimplementation, and verification of all FDIC application requirements.\n27\n   Referred to throughout the existing methodology as an information architecture.\n\n\n                                                            10\n\x0cto use the EA Blueprint and repository information to evaluate alignment throughout the SDLC\nfor all information technology projects. Current guidance also does not address how the\nevaluation for EA alignment will be used to support funding decisions when system development\nis based on an iterative development model. Each of these issues is discussed in more detail\nbelow.\n\nThe federal Chief Information Officer\xe2\x80\x99s (CIO) Council28 acknowledges that an EA is essential\nfor evolving information systems and developing new systems that optimize their mission value.\nOMB Circular A-130 instructs federal agencies to base investments in information technology on\nthe agency EA. Additionally, the GAO has noted that developing, maintaining, and using\narchitectures, or blueprints, is a best practice in engineering individual systems and entire\nenterprises. GAO has also acknowledged that it is important to ensure that systems are built and\nmodified within the context of the EA that the system supports.\n\nAlignment with FDIC\xe2\x80\x99s EA: The DIRM SPS has prepared draft checklists that could be used\nwhen reviewing SDLC documents, such as business cases, for evidence of EA alignment.\nHowever, these checklists have been issued in draft form only and do not provide detailed\nguidance for evaluating a project for alignment with the FDIC\xe2\x80\x99s EA. For example, the planning\nphase EA checklist No. 1 addresses whether the project adequately identifies data sharing and\nexchange opportunities, which could indicate EA alignment. The checklist, however, does not\nexplain how to identify and document such opportunities. Also, the SPS has prepared draft\nguidance on how and when to report EA alignment information to oversight committees, for both\nlarge and small projects, but the guidance does not reflect how the procedures would change for\niterative development processes. The evaluation of EA alignment may be required more\nfrequently with an iterative development process because the complete system architecture may\nnot be known in the early stages of the project but is developed and refined over time as each\niteration is completed.\n\nThe GAO found that attempting to define system-level architectures (e.g., requirements and\ndesign specifications) and to use them to build systems without an EA or alignment with an EA\noften results in systems that are duplicative, poorly integrated, unnecessarily costly to maintain,\nand limited in terms of optimizing mission performance.\n\nInvestment Funding Based on EA Alignment: The FDIC\xe2\x80\x99s EA policy29 requires that\nconsistency with the EA shall be one of the decision criteria for funding IT investments. Small\nand large projects should be reviewed for alignment with the EA before funding is authorized.\nThe FDIC\xe2\x80\x99s Capital Planning and Investment Management (CPIM)30 process and the EA\nBlueprint provide general guidelines for when and how to perform these funding reviews. These\nguidelines, however, do not yet address funding issues that may arise from the use of iterative\ndevelopment processes. The FDIC guidance does not describe how and when EA alignment will\nbe reviewed and the related funding established for each iteration. Consequently, the FDIC\n\n28\n   The CIO Council serves as the principal interagency forum for improving practices in the design, modernization, use,\nsharing, and performance of federal agency information resources.\n29\n   FDIC Directive 1303.1, FDIC Enterprise Architecture Program, dated November 7, 2003.\n30\n   The CPIM process identifies the steps and activities necessary to ensure that the FDIC\xe2\x80\x99s capital investments are well\nthought out and cost-effective and support the mission and business goals of the Corporation.\n\n\n                                                           11\n\x0cwould not be assured that IT investments developed using an iterative approach are adequately\nevaluated for EA alignment prior to funding.\n\nAdditionally, the existing SDLC methodology indicates that a project may need a cost-benefit\nanalysis (CBA) but does not provide guidance for its preparation or the criteria for updating the\nCBA. The CPIM requires a CBA as part of the business case to seek funding for the system\ndevelopment effort and that project sponsors submit an updated CBA when the procurement\nprocess or other factors result in substantially different cost estimates. However, the CPIM\nprocess provides only limited guidance on identifying and evaluating the factors that might\nrequire an update to the CBA.\n\nOMB Circular A-130 requires federal agencies to prepare\n                                                                             Reasons for updating a CBA may\nand update a CBA31 for each information system                               include:\nthroughout its life cycle. OMB explains that cost-benefit\nanalyses provide vital management information on the most                    \xe2\x80\xa2 Significant changes in projected\nefficient allocation of human, financial, and information                      costs and benefits,\nresources to support agency missions. When preparing                         \xe2\x80\xa2 Significant changes in information\n                                                                               technology capabilities,\nCBAs to support IT investments, agencies should seek to\n                                                                             \xe2\x80\xa2 Major changes in requirements\nquantify the improvements in agency performance results                        (including legislative or regulatory\nthrough the measurement of program outputs. This                               changes), or\nanalysis should not merely serve as budget justification                     \xe2\x80\xa2 Empirical data based on\nmaterial, but should be part of the ongoing management                         performance measurement gained\noversight process to ensure prudent allocation of scarce                       through prototype results or pilot\n                                                                               experience.\nresources.\n\nOMB Circular A-130 does not require a new CBA at each stage of the information system life\ncycle, but notes it is useful to refresh these analyses with up-to-date information to ensure the\ncontinued viability of an information system prior to and during implementation.\n\nSecurity Management\n\nNIST Special Publication 800-64 Security Considerations in the Information System\nDevelopment Life Cycle, dated October 2003, notes that including information security early in\nthe SDLC will usually result in less expensive and more effective security than adding it to an\noperational system. To be most effective, information security must be integrated into the SDLC\nfrom system inception. The Systems Development Life Cycle Manual Version 3.0, dated July 17,\n1997, recognizes the need to consider security activities throughout the SDLC and references\nguidance on the security requirements for each project, including security certification and\naccreditation (C&A).32 DIRM has issued Internal Policy Memorandum 03-011, Policy on\nIncorporating Information Security into the System Development Life Cycle, dated December 19,\n2003, to provide interim guidance for FDIC\xe2\x80\x99s C&A Program by requiring that the information\nsecurity tasks, deliverables, and approval requirements be addressed in each of the eight phases\nof the current SDLC methodology. The DIRM policy memorandum notes that a more robust\n\n31\n  Referred to in OMB Circular A-130 as a benefit-cost analysis (BCA).\n32\n  C&A refers to the official management decision to authorize operation of an information system that has undergone a\ncomprehensive evaluation of the management, operational, and technical security controls in an information system.\n\n\n                                                         12\n\x0cformalized C&A Program will follow. In addition, the interim guidance does not reference draft\nC&A guidelines proposed by NIST.33 Until more detailed guidance is provided as part of the\nFDIC C&A program, there may be inconsistent applications of C&A practices that affect, among\nother things, testing requirements.\n\nONGOING INITIATIVES\n\nThe FDIC has recognized the importance of replacing its SDLC methodology. One of the 2004\nCorporate Performance Objectives is to select and implement a new SDLC methodology. In that\nregard, DIRM selected a new risk-based SDLC methodology on February 20, 2004 and is in the\nprocess of hiring a contractor to tailor that methodology to the FDIC environment and ensure\nthat it is scalable for various projects. Specifically, the draft Statement of Work (SOW) requires\nthe contractor to tailor the SDLC methodology to address FDIC-specific requirements, including\ndevelopment and maintenance of projects of varying size, complexity, and risk as well as COTS\nproducts. The SOW also requires the contractor to assess which FDIC policies and procedures\nmay need to be modified and/or defined such as integration with the Program Management\nOffice, quality assurance (performance assessment) function, EA, and C&A. The contractor,\nhowever, is not tasked with preparing any of the policy and procedure changes or additions that\nmay be needed.\n\nAdditionally, DIRM has either issued or is developing guidance for project management,\nperformance assessment, and EA. However, much of the guidance is at the conceptual stage and\nis not supported by detailed information for the project managers to use in developing\ninformation systems. Further, DIRM has developed an interim policy on C&A, but has not yet\nfinalized procedures for implementing the policy.\n\nCONCLUSION AND RECOMMENDATIONS\n\nOur audit has identified best practices that should be associated with the SDLC methodology and\nrelated control framework that will be adopted by the Corporation. Because the FDIC has\nselected a risk-based SDLC methodology and developed a SOW to implement the new\nmethodology, we are not making any recommendations related to the selection of a risk-based\nSDLC methodology. However, as DIRM implements the new methodology, DIRM should\npromptly implement the necessary control framework. Doing so would provide the Corporation\nwith greater assurance that projects meet cost, schedule, and quality goals; the development\nprocess continually improves; all system development projects are consistent with the FDIC EA,\nand effective security controls exist in all completed systems.\n\n\n\n\n33\n  See NIST draft Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal\nInformation Technology Systems, dated June 2003. This publication will supersede Federal Information Processing\nStandards Publication 102, Guidelines for Computer Security Certification and Accreditation, dated September\n1983, and will establish a standard process, general tasks, and specific subtasks to certify and accredit federal IT\nsystems.\n\n\n\n                                                         13\n\x0cRecommendations\n\nWe recommend that the CIO and Director, DIRM, establish and issue appropriate detailed\nimplementing guidance to:\n\n(1)       Integrate the key project management activities identified in the PMBOK\xc2\xae guide with the\n          development process. These key activities include preparing the project plan, preparing\n          the management plans in the nine knowledge areas, and adopting an EVMS.\n(2)       Incorporate the results of performance assessment practices such as performing quality\n          assurance testing and PIRs into the development process.\n(3)       Align systems development with the FDIC\xe2\x80\x99s EA, establish how funding will be reviewed\n          and provided in an iterative development environment, and update cost-benefit analyses\n          during the life cycle of the system.\n(4)       Incorporate NIST guidance for C&A of security requirements.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn April 27, 2004, the DIRM Director provided a written response to the draft report. The\nresponse is presented in its entirety in Appendix VI of this report. DIRM generally concurred\nwith the report\xe2\x80\x99s findings and agreed to continue ongoing actions regarding the report\xe2\x80\x99s\nrecommendations. These recommendations are considered resolved but will remain\nundispositioned and open until we have determined that agreed-to corrective action has been\nimplemented and is effective. The responses to the recommendations are summarized below.\n\n      \xe2\x80\xa2   DIRM will establish an Enterprise Program Management Office (PMO), which will\n          standardize project management processes across all information technology projects.\n          This will include improved procedures for project initiation, project planning, project\n          execution and control, and project closeout.\n\n      \xe2\x80\xa2   The DIRM PMO will periodically review the results from performance assessment\n          activities (such as quality assurance testing and post-implementation reviews) to ensure\n          that best practices and lessons learned are incorporated into future project/development\n          processes.\n\n      \xe2\x80\xa2   The Corporation\xe2\x80\x99s EA program will assist in supporting decision-making bodies in\n          determining which new system projects will be undertaken and their alignment with new\n          or existing architectures. The PMO will be one of many additional control points to\n          ensure that the Corporation\xe2\x80\x99s EA is understood and applied to projects.\n\n      \xe2\x80\xa2   FDIC guidelines for applying new C&A standards are in place, and briefings are\n          underway to discuss the new processes and evaluate impact on project plans.\n\nWith respect to the response addressing C&A standards, more needs to be done before the\nguidelines are fully established and in place. Specifically, DIRM has issued an initial policy to\nprovide a framework for FDIC\xe2\x80\x99s federally-mandated C&A program and has drafted a policy\n\n\n                                                  14\n\x0cspecifically focused on C&A. In addition, DIRM issued Guidelines on Implementing\nCertification and Accreditation for FDIC Systems, on February 17, 2004. These guidelines\noutline C&A activities, but do not provide detailed implementing guidance on how C&A is to be\nconducted. Without such detailed guidance, FDIC cannot be assured that C&A activities,\nincluding testing, will be conducted effectively and consistently.\n\nThe CIO also provided comments on DIRM\xe2\x80\x99s Transformation program, including initiatives on\nadoption of improved practices in systems engineering, project management, capital investment\nplanning, enterprise architecture, and security planning. One of the goals of the Transformation\nprogram is to assist DIRM in restructuring its operations in order to provide the most cost-\nefficient, customer-oriented service possible to all FDIC divisions and offices. The\nTransformation Office\xe2\x80\x99s mission is to manage the organizational and program changes, resulting\nfrom a 2003 independent IT Program Assessment, that are approved for implementation by\nFDIC and DIRM senior management.\n\n\nTransformation activities began this year and will continue over a period of several years. The\nCIO stated that DIRM is addressing the issues discussed in this report in a highly-integrated and\nin-depth manner through the Transformation program and that significant progress and results in\nthese areas are expected by the end of 2005.\n\n\n\n\n                                               15\n\x0c                                                                                    APPENDIX I\n\n                       OBJECTIVE, SCOPE, AND METHODOLOGY\nObjective\n\nThe overall objective of our audit was to determine whether the FDIC\xe2\x80\x99s SDLC methodology ensures\nthe delivery of quality systems that satisfy corporate requirements in a timely and cost-effective\nmanner. As part of our audit, we examined: (1) The adequacy and cost-effectiveness of management\ncontrols in the FDIC\xe2\x80\x99s SDLC methodology and (2) federal agency and industry best practices for\nmanaging information system development projects. To achieve this objective, we conducted on-\nline research, interviews, and analysis of government and industry best practices in SDLC\nmethodology. Appendix III contains a complete listing of the agency and industry entities that\nprovided information on SDLC. We performed our work from November 2003 through February\n2004 in accordance with generally accepted government auditing standards.\n\nScope\n\nDIRM engaged a consultant to conduct an Information Technology Program Assessment (ITPA)\nof the FDIC\xe2\x80\x99s IT program management in 2003. The consultant recommended enhancing and\nupdating the SDLC methodology as one of three activities that could be addressed in a 3- to 6-\nmonth timeframe. The consultant\xe2\x80\x99s report stated that the objective of the SDLC review should\nbe to refine the SDLC methodology by incorporating the best elements of more recent\napproaches to system development. The following key activities should be included in\ncompleting the methodology selection:\n\n        \xe2\x80\xa2   review the current SDLC methodology,\n        \xe2\x80\xa2   gather information on current thinking and best practices in SDLC,\n        \xe2\x80\xa2   collect external benchmarks that can be used to identify strengths and areas for\n            improvement, and\n        \xe2\x80\xa2   gather and prioritize requirements for enhancing methodology.\n\nWe focused our efforts on addressing these key activities.\n\nIn addition to reviewing the SDLC methodology, we reviewed the SDLC IT control framework.\nThis control framework includes project management, performance assessment, the enterprise\narchitecture, and security management.\n\nCurrent SDLC Process\n\nTo gain an understanding of FDIC\xe2\x80\x99s current SDLC practices, we reviewed:\n\n    \xe2\x80\xa2   FDIC System Development Life Cycle Manual version 3.0, dated July 1997.\n    \xe2\x80\xa2   FDIC Circular 1320.3, Systems Development Life Cycle Version 3.0, dated July 17,\n        1997.\n    \xe2\x80\xa2   FDIC Circular 1320.4, FDIC Software Configuration Management Policy, dated July 8,\n        2003.\n\n\n                                                16\n\x0c                                                                                APPENDIX I\n\n    \xe2\x80\xa2   FDIC Circular 1360.18, FDIC Software Quality Assurance Policy, dated August 6, 2003.\n    \xe2\x80\xa2   FDIC Circular 1303.1, FDIC Enterprise Architecture Program, dated November 7,\n        2003.\n    \xe2\x80\xa2   DIRM Policy No. 03-011, Policy on Incorporating Information Security into the System\n        Development Life Cycle, dated December 19, 2003.\n\nAreas Identified for Improvement\n\nTo obtain an understanding of areas for improvement in the FDIC SDLC methodology and\nperceived best practices, we interviewed DIRM assistant directors responsible for application\ndevelopment. We conducted interviews of two project managers assigned to DIRM-identified\nproject successes for best practices. We also interviewed other DIRM employees and the ITPA\nconsultant and analyzed the FDIC\xe2\x80\x99s Systems Development Life Cycle Manual Version 3.0 and\nprior OIG reports to identify potential areas for improvement in the FDIC\xe2\x80\x99s current SDLC\nprocess. Specifically, we reviewed three recently issued OIG reports:\n\n    \xe2\x80\xa2  The New Financial Environment Project Control Framework\n      (Report No. 03-016), dated March 5, 2003;\n    \xe2\x80\xa2 New Financial Environment Scope Management Controls\n      (Report No. 03-045), dated September 29, 2003; and,\n    \xe2\x80\xa2 XBAT Contracting and Project Management (Report No. 04-014) dated March 26,\n       2004.\n\nThese reports concluded that improvements are needed in the SDLC practices to help ensure that\nFDIC system development efforts are more effectively controlled for scope, cost, and quality.\n\nSelected Federal Agencies With Best Practices\n\nTo select agencies with SDLC best practices, we contacted the General Accounting Office\n(GAO) whose work in government oversight provided an overview of agency activities for\nsystem development. The GAO identified SDLC best practices adopted by the Federal Aviation\nAdministration (FAA) and the Department of the Treasury\xe2\x80\x99s Financial Management Services.\nWe also included the Federal Reserve Board, Department of Labor, and Department of Justice in\nour analysis of SDLC best practices based on preliminary research conducted by DIRM or\nidentified through research with other agencies.\n\nSelected Industry Entities With Best Practices\n\nWe conducted research to select industry entities with SDLC best practices. Our research\nshowed and GAO confirmed that Carnegie Mellon\xe2\x80\x99s Software Engineering Institute is a leading\nauthority on SDLC. Also, to identify process improvements we obtained SDLC best practices\nwork conducted by International Business Machines and Deloitte Consulting as part of two\ncontracts with DIRM. We also selected Software Productivity Research to provide insight on\n\n\n\n                                              17\n\x0c                                                                                  APPENDIX I\n\nsoftware development performance measurement. Finally, Forrester Group and\nPricewaterhouseCoopers presented best practices on project management to some FDIC\nmanagers; we reviewed those practices for applicability to SDLC best practices.\n\nMethodology\n\nFor each of the entities above, we obtained documentation related to SDLC or project\nmanagement, conducted interviews to clarify our understanding of the documents presented, and\nreviewed the theories, practices, processes, and controls. We interviewed the FDIC personnel\ncurrently responsible for maintaining the SDLC to identify the scope of efforts completed to date\nfor SDLC improvement. To obtain relevant information on best practices, we conducted\nextensive on-line research of SDLC theories and methodologies put forward by academicians\nand practitioners.\n\nWe evaluated the FDIC\xe2\x80\x99s SDLC process using industry and Federal agency best practices that\naddressed the potential improvement areas identified through our interviews and reviews of\nreports and the FDIC System Development Life Cycle Manual version 3.0. We used the Project\nManagement Institute\xe2\x80\x99s A Guide to the Project Management Body of Knowledge (PMBOK\xc2\xae),\n2000 Edition as our primary resource for evaluating FDIC\xe2\x80\x99s SDLC project management\nactivities. PMBOK\xc2\xae describes generally accepted project management knowledge and practices\napplicable to most projects by organizing the processes into nine knowledge areas (i.e.,\nintegration, scope, time, cost, quality, human resources, communication, risk, and procurement\nmanagement). The nine knowledge areas provide the practices needed to manage a successful\nSDLC. In addition, we evaluated the SDLC for coverage of security controls cited in National\nInstitute of Standards and Technology (NIST) Special Publication 800-37, Guide for the Security\nCertification and Accreditation of Federal Information Systems and post-implementation review\nrequirements contained in Office of Management and Budget (OMB) Circular A-130,\nTransmittal 4.\n\nTo enhance our understanding of the enterprise architecture framework as it relates to the SDLC,\nwe reviewed three GAO reports:\n\n   \xe2\x80\xa2   Information Technology - Enterprise Architecture Use Across the Federal Government\n       Can Be Improved, GAO-02-6, dated February 2002.\n   \xe2\x80\xa2   Information Technology \xe2\x80\x93 OMB Leadership Critical to Making Needed Enterprise\n       Architecture and E-government Progress, GAO-02-389T, dated March 21, 2002.\n   \xe2\x80\xa2   Air Traffic Control \xe2\x80\x93 FAA\xe2\x80\x99s Modernization Efforts \xe2\x80\x93 Past, Present, and Future,\n       GAO-04-227T, dated October 30, 2003.\n\nLastly, we contacted the FDIC\xe2\x80\x99s Corporate University and the manager of DIRM\xe2\x80\x99s new Program\nManagement Office to determine the actions being taken to promote and develop good project\nmanagement skills for SDLC project managers.\n\n\n\n\n                                               18\n\x0c                                                                                                         APPENDIX I\n\nManagement Controls\n\nWe limited our assessment of DIRM\xe2\x80\x99s system of internal controls to gaining an understanding of\nthe division\xe2\x80\x99s procedures for developing systems. Specifically, we evaluated (1) the adequacy of\nprocesses to maintain and update procedures and controls; (2) FDIC\xe2\x80\x99s objectives for its SDLC\nprocesses; (3) project management controls for ensuring delivery of quality, risk-managed\nsystems within time and budget constraints; and (4) the FDIC control framework for evaluating\nsystem development efforts. We did not test internal controls; however, the fact that we did not\nperform those tests did not affect our ability to achieve the stated audit objectives or the audit\nresults.\n\nGovernment Performance Results Act34\n\nThe FDIC 2004 Corporate Performance Objectives include the selection and implementation of a\nnew SDLC methodology. To meet this objective, DIRM has undertaken a review of the current\nSDLC and federal agency and industry best practices related to systems development with a goal\nof selecting and implementing a new SDLC methodology by November 1, 2004.\n\nReliance on Computer Generated Data\n\nWe relied on computer-generated data from DIRM\xe2\x80\x99s Project Number Information Application to\ncompute the estimated budgeted system development costs for 2003 and 2004. Also, we used\ncomputer-generated data from the FDIC Financial Data Warehouse to identify the total FDIC\nbudget for 2003. We did not perform specific tests to determine the reliability of computer-\nprocessed data, because the results of our audit were not based on such data.\n\nSummary of Prior Audit Coverage\n\nThe OIG issued Report No. 97-012, Audit of FDIC\xe2\x80\x99s System Development Life Cycle\nMethodology, dated January 30, 1997. This report provided nine recommendations for\nimproving the FDIC SDLC methodology. The report indicated that management provided\nresponses for all nine recommendations that met the requisites of a management decision. We\ndid not perform any detailed procedures to specifically follow up on the corrective actions\nrelated to the nine recommendations.\n\n\n\n\n34\n   The Government Performance and Results Act of 1993 (Pub. L. No. 103-62, codified at Title 5 and 31, U.S.C.) was\nenacted to improve the management, effectiveness, and accountability of federal programs. The Results Act requires\nmost federal agencies, including the FDIC, to develop a strategic plan that broadly defines the agency\'s mission and\nvision, an annual performance plan that translates the vision and goals of the strategic plan into measurable objectives,\nand an annual performance report that compares actual results against planned goals.\n\n\n\n                                                            19\n\x0c                                                                                    APPENDIX I\n\nCompliance With Laws and Regulations\n\nWe did not identify any laws or regulations specifically requiring an SDLC methodology. We\nalso did not develop specific audit procedures to detect illegal acts because we did not consider\nillegal acts to be significant to the audit objective. However, throughout our audit, we were\nsensitive to the potential of illegal acts, including fraud, waste, abuse, and mismanagement.\n\n\n\n\n                                                20\n\x0c                                                                                            APPENDIX II\n\n\n         WATERFALL AND ITERATIVE SYSTEM DEVELOPMENT MODELS\n\nWaterfall Model\n\nThe traditional model for system development -- the linear sequential or \xe2\x80\x9cwaterfall\xe2\x80\x9d model --\nprovides for clearly defined process phases. Each phase of development will proceed in order,\nwith limited, if any, overlap or iterative steps. Generally, each phase must be completed and\napproved before the next phase can commence. Figure 2 provides an example of the waterfall\napproach.\n                       Figure 2: Waterfall Model of System Development\n\n\n         Requirements\n           Analysis\n\n                        Preliminary\n                          Design\n\n\n                                      Detailed Design\n\n                                                        Code & Unit\n                                                          Testing\n\n                                                                      Integration\n                                                                        Testing\n\n                                                                                    System Testing\n\n\n\n                                                  T I M E\n\n\n\n                   Source: University of Calgary Software Engineering Research Network.\n\nThe waterfall model has been found to work well for projects for which requirements are well\nunderstood and fixed early on, such as projects involving changes to existing systems. The\ndisadvantage of a waterfall model is that it does not allow for much revision. Once an\napplication is in the testing stage, it is difficult to go back and change what was not known or\nwell thought out in the concept stage.\n\nIterative Development Models\n\nIterative development is an approach to building software in which the overall project life cycle\nis composed of several sequential iterations. Each iteration is a self-contained mini-project\ncomposed of activities such as requirements analysis, design, programming, and test. The final\niteration release is the planned product released to the client.\n\n\n\n\n                                                        21\n\x0c                                                                                           APPENDIX II\n\n\nThe advantage of using iterative development is that the end user is continually involved\nthroughout the development process, making it possible to make changes easily and identify and\nsolve problems at each stage of development. These models work best when not all project\nrequirements are known in detail ahead of time. However, problems may be encountered in\nintegrating the many iterative releases.\n\nFigure 3 below represents one phase of a project developed using the spiral iterative model. As\nnoted in the figure, the spiral model provides a cyclic approach for incrementally increasing a\nsystem\'s degree of definition and implementation while decreasing its degree of risk.\n\n                       Figure 3: Spiral Software Development Life Cycle\n\n\n\n\n       Source: Understanding the Spiral Model as a Tool for Evolutionary Acquisition by Barry Boehm and\n       Wilfred J. Hansen, January 2001\n\n\n\n\n                                                    22\n\x0c                                                                                                APPENDIX II\n\nThe GAO has recognized the FAA\xe2\x80\x99s35 spiral development approach. The GAO noted that\nalthough the use of this approach can increase costs initially, money can be saved in the long run\nby avoiding costly mistakes after system development. The GAO concluded that this approach\nhas helped the FAA improve its management of systems acquisitions and avoid costly late-stage\nchanges by providing for mid-course corrections.\n\nConsiderations for the Acquisition of COTS Software\n\nThe SEI has noted that the use of COTS products as elements of larger systems is becoming\nincreasingly commonplace. Shrinking budgets, accelerating rates of COTS enhancement, and\nexpanding system requirements are all driving this process. Also, GAO best practice guidance36\nnotes that the advantages of using COTS software include (1) a less costly development in\ncomparison to developing in-house applications, (2) software upgrades that are affordable and\nregularly available, and (3) a design that includes best practices.\n\nHowever, the use of COTS software also includes risks that require an iterative approach to\nsystem development. Through its COTS-Based Systems (CBS) Initiative, the SEI changes the\nfocus of software engineering from one of traditional system specification and construction to\none requiring consideration of and balance between:\n\n     \xe2\x80\xa2   system context (stakeholder and business process requirements and project management\n         aspects such as cost, schedule, and risk considerations;\n     \xe2\x80\xa2   marketplace (available and emerging COTS technology and products and relevant\n         standards); and\n     \xe2\x80\xa2   architecture and design (the essential elements of the system and the relationships\n         between them).\n\nFigure 4 provides a summary of the CBS approach.\n\n\n\n\n35\n   GAO testimony, Air Traffic Control, FAA\xe2\x80\x99s Modernization Efforts \xe2\x80\x93 Past, Present and Future, GAO 04-227T, dated\nOctober 30, 2003.\n36\n   GAO Executive Guide, Creating Value Through World-class Financial Management, GAO/AIMD-00-134, dated\nApril 2000.\n\n\n                                                        23\n\x0c                                                                                  APPENDIX II\n\n                          Figure 4: COTS-Based Systems Approach\n\n\n\n\n                            Source: The SEI COTS-Based Systems Initiative.\n\nThe SEI noted that numerous projects have unsuccessfully tried to integrate COTS software\nusing the more traditional approach of defining the requirements, formulating an architecture to\nmeet those requirements, and then trying to fit components into that architecture. The SEI,\ntherefore, recommends the use of a risk-based spiral, or iterative, system development approach\nto building, fielding, and supporting COTS-based systems.\n\n\n\n\n                                                 24\n\x0c                                                             APPENDIX III\n\n\n        FEDERAL AGENCIES AND INDUSTRY ENTITIES THAT PROVIDED\n        INFORMATION ON SDLC METHODOLOGY AND BEST PRACTICES\n\n\nFederal Agencies\nDepartment of Justice\nDepartment of Labor\nDepartment of the Treasury\xe2\x80\x99s Financial Management Services\nFederal Reserve Board\nFederal Aviation Administration\nGeneral Accounting Office\n\nIndustry\nCarnegie Mellon\xe2\x80\x99s Software Engineering Institute\nDeloitte & Touche/ Deloitte Consulting\nForrester Group\nInternational Business Machines\nPricewaterhouseCoopers\nQueen\xe2\x80\x99s University of Computing\nRational Software Management\nSoftware Productivity Research, LLC\nUniversity of Calgary\n\n\n\n\n                                             25\n\x0c                                                                                  APPENDIX IV\n\n\n                         PROJECT MANAGEMENT GUIDANCE\n\nThe Project Management Institute (PMI) has conducted extensive research and analysis in the\nfield of project management and published a standards guide in 2000 entitled A Guide to the\nProject Management Body of Knowledge (PMBOK\xc2\xae Guide). The PMBOK\xc2\xae Guide documents\nproven practices, tools, and techniques that have become generally accepted in the field of\nproject management, including information systems development and implementation. The\nPMBOK\xc2\xae Guide is an approved standard of the American National Standards Institute and the\nInstitute of Electrical and Electronics Engineers. The PMBOK\xc2\xae Guide identifies nine distinct\nknowledge areas associated with successful project management. The nine areas are integration,\nscope, time, cost, quality, human resources, communication, risk, and procurement management.\n\n   \xe2\x80\xa2   Integration Management: The processes that ensure various elements of a project are\n       properly coordinated. Integration management consists of project plan development and\n       execution and integrated change control.\n   \xe2\x80\xa2   Scope Management: The processes that ensure a project includes all of the work\n       required, and only the work required, to complete the project successfully. Scope\n       management consists of initiation and scope planning, definition, verification, and change\n       control.\n   \xe2\x80\xa2   Time Management: The processes that ensure timely completion of a project. Time\n       management consists of activity definition, sequencing, and duration estimating as well\n       as schedule development and schedule control.\n   \xe2\x80\xa2   Cost Management: The processes that ensure a project is completed within the approved\n       budget. Cost management consists of resource planning and cost estimating, cost\n       budgeting, and cost control.\n   \xe2\x80\xa2   Quality Management: The processes that ensure a project will satisfy the needs for\n       which it was undertaken. Quality management consists of quality planning, assurance,\n       and control.\n   \xe2\x80\xa2   Human Resource Management: The processes that make the most effective use of the\n       people involved with a project. Human resource management consists of organizational\n       planning, staff acquisition, and team development.\n   \xe2\x80\xa2   Communications Management: The processes that ensure timely and appropriate\n       generation, collection, dissemination, storage, and ultimate disposition of project\n       information. Communications management consists of communications planning,\n       information distribution, performance reporting, and administrative closure.\n   \xe2\x80\xa2   Risk Management: The processes concerned with identifying, analyzing, and\n       responding to project risk. Risk management consists of risk management planning, risk\n       identification, qualitative and quantitative risk analysis, risk response planning, and risk\n       monitoring and control.\n   \xe2\x80\xa2   Procurement Management: The processes related to acquiring goods and services from\n       outside the organization. Procurement management consists of procurement and\n       solicitation planning, solicitation, source selection, contract administration, and contract\n       closeout.\n\n\n\n                                               26\n\x0c                                                                                                       APPENDIX V\n\n\n     USEFUL BUSINESS MEASURES OF SYSTEM DEVELOPMENT PERFORMANCE\n\nIn the report, Measuring Performance and Demonstrating Results of Information Technology\nInvestments, AIMD-98-89, dated March 1998, GAO identified these useful information\ntechnology internal business measures of system development performance:\n\nApplications development and maintenance:\n   \xe2\x80\xa2 Number of function points37 delivered per labor hour\n   \xe2\x80\xa2 Number of defects per 100 function points at user acceptance\n   \xe2\x80\xa2 Number of critical defects per 100 function points in production\n   \xe2\x80\xa2 Percentage of decrease in application software failures and problems\n   \xe2\x80\xa2 Mean time to resolve critical defects\n   \xe2\x80\xa2 Cycle time for development\n\nProject performance:\n    \xe2\x80\xa2 Percentage of projects on time and on budget\n    \xe2\x80\xa2 Percentage of projects meeting functionality requirements\n    \xe2\x80\xa2 Percentage of projects using standard methodology for systems analysis and design\n\nInfrastructure availability:\n    \xe2\x80\xa2 Percentage of computer availability\n    \xe2\x80\xa2 Percentage of communications availability\n    \xe2\x80\xa2 Percentage of applications availability\n    \xe2\x80\xa2 On-line system availability\n\nEnterprise architecture standards compliance:\n   \xe2\x80\xa2 Number of variations from standards detected by review and audit per year\n   \xe2\x80\xa2 Percentage of increase in systems using architecture\n   \xe2\x80\xa2 Percentage of staff trained in relevant standards\n\n\n\n\n37\n   Function point analysis was first published by International Business Machines in 1979. It is a metric for the purpose\nof an economic and productivity analysis that uses weighted counts of five parameters: inputs, outputs, inquiries, logical\nfiles, and interfaces.\n\n\n                                                            27\n\x0c                       APPENDIX VI\n\n\n\nCORPORATION COMMENTS\n\x0c                       APPENDIX VI\n\nCORPORATION COMMENTS\n\n\n\n\n        29\n\x0c                       APPENDIX VI\n\nCORPORATION COMMENTS\n\n\n\n\n        30\n\x0c                                                                                                                                                 APPENDIX VII\n\n                                              MANAGEMENT RESPONSES TO RECOMMENDATIONS\n\n     This table presents the management responses that have been made on recommendations in our report and the status of recommendations\n     as of the date of report issuance. The information in this table is based on management\xe2\x80\x99s written response to our report.\n\n                                                                                                                                                                  Open\n      Rec.                                                                                Expected            Monetary      Resolved:a      Dispositioned:b        or\n     Number               Corrective Action: Taken or Planned/Status                   Completion Date        Benefits      Yes or No         Yes or No          Closedc\n       1          DIRM will establish an Enterprise Program Management\n                  Office (PMO), which will standardize project management               December 31, 2005           N/A            Yes                No             Open\n                  processes across all information technology projects. This\n                  will include improved procedures for project initiation, project\n                  planning, project execution and control, and project closeout.\n          2       The DIRM PMO will periodically review the results from\n31\n\n\n\n\n                  performance assessment activities (such as quality assurance          December 31, 2005           N/A            Yes                No             Open\n                  testing and post-implementation reviews) to ensure that best\n                  practices and lessons learned are incorporated into future\n                  project/development processes.\n          3       The Corporation\xe2\x80\x99s EA program will assist in supporting\n                  decision-making bodies in determining which new system                December 31, 2005           N/A            Yes                No             Open\n                  projects will be undertaken and their alignment with new or\n                  existing architectures. The PMO will be one of many\n                  additional control points to ensure that the Corporation\xe2\x80\x99s EA\n                  is understood and applied to projects.\n          4       FDIC guidelines for applying NIST C&A new standards are\n                  in place, and briefings are underway to discuss the new               December 31, 2005           N/A            Yes                No             Open\n                  processes and evaluate impact on project plans. Internal\n                  procedures will evolve to address future changes in the NIST\n                  guidelines.\n     a\n       Resolved \xe2\x80\x93 (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation. (2) Management does not\n     concur with the recommendation but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits or a different amount,\n     or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.\n     b\n       Dispositioned \xe2\x80\x93 The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through\n     implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the\n     recommendation.\n     c\n       Once the OIG dispositions the recommendation, it can then be closed.\n\x0c'